The Cybercrime Treaty vs Hack Back Bill

There are two conflicting cybercrime regulations in the making, one
national and the other one international. Which one deserves to be supported
and why should you know this?

National: Hack back Bill

The US Congress has been considering a law relating to cybersecurity
defence named as ‘Active Cyber Defense Certainty Act’ (ACDC). This
proposed bill is intended to defend organisations against cyber intrusions by
retaliating. In other words, the projected regulation would allow boards and
executives to decide on utilising an active cyber defence by hacking back.

The bill proponents presume that most defenders would likely
use active-defence techniques to perform ‘deep reconnaissance’ of the hackers
who originated the attack. As explained, a defender, for example, using
active-defence techniques could ‘follow the bread crumbs’ back to the source of
the attack. They could then attempt to attribute the source, ‘naming and
shaming’ the attacker, turn over relevant information to law enforcement, or simply
learn the ‘vector’ that the attacker took to execute the original malicious
attack and avoid it.

It is not further elucidated that the federal government should
play a crucial role in investigating and prosecuting cyber-crimes but it shouldn’t
stand in the way of victims who are capable of responding to an ongoing attack,
nor should it stand in the way of industry innovating and creating new
active-defence techniques.

The justification is that hacking back guidelines would help
a much larger number of cybercrimes to be prosecuted.

International: UN Cybercrime Treaty proposal

In December 2019, the United Nations Assembly met to vote on
a Russian-led resolution on cybercrime that suggests the establishment of a
committee of experts to consider a new UN cybercrime treaty.

This resolution reflects Russia’s and some BRICS countries (including South Africa) long-standing
goal to replace the Council of Europe’s Budapest Convention, which is the only
international instrument addressing this issue but considered already outdated.

In fact, the Russian initiative goes back to 2001 when they
tabled a draft resolution at UN named the ‘Developments in the field of
information and telecommunications in the context of international security’. Later,
the same year, Russia proposed the establishment of the UN Group of
Governmental Experts (UN GGE). The group was tasked to review potential and
existing threats to information security, examine possible ways of cooperation
between the UN member states, and perform a study of international information
security issues.

At the first GGE convened in 2004, Russia, China and Brazil
had called for state sovereignty over information security. The US had opposed
such calls for state control of information, considering the move to be
political, culturally and socially disruptive.

The GGE 2009 report endorsed dialogues on norms for states’
use of ICT to reduce risk and protect critical infrastructure. It also recommended risk reduction methods,
including the use of ICT during the conflict.

It is at this time that other countries (including China and
South Africa) became increasingly aligned with Russia, consistently arguing
that the 2004 Budapest Convention is outdated. Fast forward to 2019, this resulted in the
passing of Russia’s current resolution.

The final vote showed that 79 countries agreed with the resolution
while 60 nation-states, aligned with the US, opposed it. Some 33 countries abstained.
The vote was largely along the same ‘traditional’ political dividing lines.

Although those countries that voted against the resolution raised
serious human rights concerns, the majority of the nation-states agree that the
global negotiations on the cybercrime treaty represent a positive move in the
right direction.

Why you should know this?

One of the problems with the adoption and application of the
ACDC might arise when organisations try to retaliate but are not really in the
best position to do so. This particularly can happen in the situation when
trying to retaliate to well-organised syndicates or the state actors. The consequences
will be even more disastrous.

Secondly, many cyber-attacks function by using very hard to navigate
and regulate ‘dark web’. Any counteraction,
even by a mighty government entity, runs the risk of being founded on
incomplete or misleading information in the first place, cautions the Quartz portal.

What happens if well-intentioned defenders truly believe
they have identified the source of a cyber-crime, and even have evidence that
points to a specific actor/s but it turns out they were wrong? Would the retaliating
company and the individual in charge be prosecuted? Would they have safe harbour
protection?

The above questions posed by the Quartz portal, suggest that the adoption of the US hack
back bill could potentially have disastrous consequences not just for the retaliate
organisations but for the worldwide economy and stability.

Even worse, will the nation-state on the other end of an
attack consider this retaliation as an act of war and respond with the kinetic weapon?
Possibly, yes.

As we have spotlighted
recently, this already had happened. The Israeli Defence Force (IDF)
response against cyber attackers was decisive and literally with the ‘bang’.
Israel bombed hackers from Gaza! The IDF flattened a building allegedly used by
hackers from Hamas.

In the freshest conflict between the US and Iran, the latter
already pulls some cyber punches in a retaliatory attack to the killing of its high
ranked general. The Iranian hackers briefly took over and defaced a website for
the Federal Depository Library Program. This looks as only warning that might
escalate to a substantial cyberwar.

Will the US respond with its massive cyber offensive
capabilities? Or will it retaliate with its mighty kinetic weapons? It is still
to be seen but the situation is highly volatile.

As FBI Director Christopher Wray commented, “We don’t think it’s a good idea for private industry to take it upon themselves to retaliate by hacking back at somebody who hacked them”.

Former FBI director James Comey also expressed concern that any kind of active defence strategy could impede the FBI’s own law enforcement efforts. This is especially true now as cybercrime and geopolitics become more and more intertwined.

This brings us to the Russian proposed UN Cybercrime Treaty.
We do not necessarily promote this particular treaty proposal but are in favour
of negotiations and reaching global arrangements. Although the discussion on
information security remained polarised as ever, reaching the common resolution
seems far better than entering into endless and spiralling retaliations that
can bring only disastrous results.